
The Expert View: Managing OT cyber-risk


Operational technology (OT) has shifted from a largely isolated domain to a frontline concern for senior executives. As industrial systems become increasingly connected, the risks multiply, from factory shutdowns to utilities outages and even physical explosions.


Tim Wallen, RVP North Europe at Claroty, told a TEISS dinner briefing at the House of Lords that OT security lagged behind IT security for many years, with machinery often in place for decades and not even capable of being connected to the internet. This has changed, he told attendees – all senior security experts from a range of sectors. As more OT is connected to the internet, and greater automation is applied, so the risks increase.


These days, the CIO is aware of OT risk, Wallen said, and security expectations are increasing across organisations. With industrial systems more exposed, there is plenty of work to be done to strengthen resilience and build the right culture to minimise risk – and to recover should the worst happen.


The vulnerabilities discussed around the table were striking. Much OT is decades old and was not designed with security in mind. Long replacement cycles mean organisations are still reliant on legacy systems that were never built to be connected to the internet. “There is more risk in OT than in any IT I’ve ever seen,” remarked one participant.


Supply challenges


Suppliers and vendors were a common concern. Companies rely on external partners for installation, maintenance and updates, sometimes through black-box systems they cannot fully control. “One vendor patched their systems and broke our EV charging system,” recalled one executive.


Others noted that suppliers sometimes write into the contract that monitoring tools cannot be installed on their equipment, which makes security harder. It can also be difficult to conduct regular security tests, attendees said. Ideally, the customer should have the right to have an external security expert test the equipment at least annually, at the vendor’s expense – but this isn’t always agreed.


Some OT will be in use for decades, so vendors aren’t worried about customers switching to a competitor, which creates lock-in. Attendees said that makes it important to ensure from the outset that you have a good vendor relationship. They said procurement teams must ensure the contract contains the necessary clauses to provide security and flexibility.


Security approaches


Despite these challenges, many agreed that OT security should be approached much like IT security. Simulation exercises, robust isolation and secure connectivity were all cited as essential. Rapid firmware updates were a recurring priority: they must be applied without forcing lengthy shutdowns. Regulation can help but often struggles to keep up with the complexity of operations. “They end up having to take our word for it,” said one participant.


Information gathering was considered vital. Organisations should map equipment, usage and security status, sometimes by visiting sites to understand what they are using. Shadow OT and shadow procurement added yet another layer of exposure. “One factory bought machinery on Gumtree,” said an attendee. “It turned out to have malware on it.”


Executives also warned that organisations need to identify and monitor “connective nodes”: the points where networks converge and from which attackers can move laterally between systems. Securing those junctions was highlighted as a priority.
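One way to find those junctions from an asset inventory, as an added example that is not part of the briefing and not Claroty’s code: the Python below takes a constructed inventory (hypothetical host and zone names) and an assumed segmentation policy, lists the hosts whose interfaces span more than one zone, traces which zones an attacker could reach from the corporate network by pivoting through them, flags hosts that directly bridge zones the policy says must stay separate, and finds the hosts that are the only route into a critical zone.

```python
"""Locating "connective nodes" in a mixed IT/OT estate (added example).

Input is a constructed inventory of hosts and the network zones their
interfaces sit on. A host spanning several zones is where networks converge
and where lateral movement happens. The functions below list those hosts,
trace which zones are reachable from a starting zone through them, flag
hosts that bridge zone pairs a segmentation policy forbids, and find hosts
that are the single route into a target zone.
"""
from collections import defaultdict, deque

# Constructed inventory with hypothetical host and zone names; the zones
# follow a simple corporate / dmz / control / safety layering.
INVENTORY = {
    "corp-laptop-01":  ["corporate"],
    "historian-01":    ["corporate", "dmz"],      # dual-homed data historian
    "jump-host-01":    ["dmz", "control"],        # engineering jump host
    "ev-charge-gw-01": ["corporate", "control"],  # vendor gateway skipping the DMZ
    "plc-line-3":      ["control"],
    "hmi-line-3":      ["control", "safety"],     # HMI with a leg on the safety network
    "safety-ctrl-01":  ["safety"],
}

# Assumed segmentation policy: these zone pairs must never share a host.
FORBIDDEN_BRIDGES = [("corporate", "control"), ("corporate", "safety")]


def connective_nodes(inventory):
    """Hosts with interfaces in two or more zones, mapped to their sorted zones."""
    return {h: sorted(set(z)) for h, z in inventory.items() if len(set(z)) > 1}


def zone_graph(inventory, exclude=()):
    """Adjacency between zones: zone -> set of (neighbour zone, host bridging them)."""
    adj = defaultdict(set)
    for host, zones in inventory.items():
        if host in exclude:
            continue
        zs = sorted(set(zones))
        for a in zs:
            for b in zs:
                if a != b:
                    adj[a].add((b, host))
    return adj


def reachable_zones(inventory, start, exclude=()):
    """BFS over the zone graph; returns zone -> list of hosts traversed to reach it."""
    adj = zone_graph(inventory, exclude)
    paths = {start: []}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt, host in sorted(adj[zone]):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [host]
                queue.append(nxt)
    return paths


def policy_violations(inventory, forbidden):
    """Hosts that directly bridge a zone pair the segmentation policy forbids."""
    hits = []
    for host, zones in connective_nodes(inventory).items():
        for a, b in forbidden:
            if a in zones and b in zones:
                hits.append((host, a, b))
    return sorted(hits)


def single_points_of_pivot(inventory, start, target):
    """Hosts whose removal cuts every path from start to target.

    These are the junctions to instrument first: compromising that one host
    is the whole route into the target zone.
    """
    return sorted(
        host for host in connective_nodes(inventory)
        if target not in reachable_zones(inventory, start, exclude={host})
    )


if __name__ == "__main__":
    print("connective nodes:", connective_nodes(INVENTORY))
    print("reachable from corporate:", reachable_zones(INVENTORY, "corporate"))
    print("policy violations:", policy_violations(INVENTORY, FORBIDDEN_BRIDGES))
    print("single points of pivot into safety:",
          single_points_of_pivot(INVENTORY, "corporate", "safety"))
```

On the constructed data the vendor EV-charging gateway is the policy violation (it joins corporate directly to control, bypassing the DMZ), and the HMI is the only route from corporate into the safety network, so it is the host whose monitoring matters most. Swapping the literal inventory for an export from a real asset database is the only change needed to run this against an actual estate.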


Information-sharing across sectors was seen as more problematic: OT attacks are often so bespoke that shared data risks exposing vulnerabilities without offering much practical value to others.


Managing risk


Attendees also emphasised the need for a strong cultural shift. Staff must understand that IT-style security practices are not optional add-ons, but critical to the safe running of operational systems. Too often, the mindset is still limited to “keeping the equipment running”, with little thought about what the threats to that equipment might be.


Ultimately, attendees agreed that the heart of the challenge is risk management. Risk should be reduced “as low as is reasonably practical”, supported by a strong organisational culture. Defining ownership is critical: “the risk owner is the person who has the budget to fix the problem,” as one guest noted.


While appetite for risk should be set from the top, organisations must be clear about whether individual business units can set their own levels. Sometimes this is necessary – for example, when a new business unit needs to establish itself in the market – but sometimes it creates inconsistency. Clear articulation of risk, and the ability to use that understanding to support colleagues across the business, was seen as essential.


Drawing together the discussion, Tim Wallen observed that despite representing very different sectors, participants shared common challenges. The lesson, he argued, was that OT risk cannot be treated as an afterthought. “As risk professionals,” he said, “we need to understand how to articulate risk and use our understanding of risk to help our colleagues.”


To learn more, please visit: www.claroty.com

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543